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Preface 



We would like to express a hearty welcome to all the participants of the 6th In- 
ternational Conference on Information Security and Cryptology (ICISC 2003). 
It was organized by the Korea Institute of Information Security and Cryptology 
(KIISC) and sponsored by the Korean Ministry of Information and Communi- 
cation, and was held at the Seoul Olympic Parktel, Korea from November 27 to 
28, 2003. As in the five previous years, it served as a forum to bring together 
researchers from academia and commercial developers from industry to discuss 
the current state of the art in information security and cryptology. 

The Program Committee received 163 submissions from 25 countries and re- 
gions (Australia, Austria, Belgium, Canada, China, Finland, France, Germany, 
Hong Kong, India, Indonesia, Iran, Italy, Japan, Korea, Netherlands, Malaysia, 
Poland, Russia, Switzerland, Singapore, Taiwan, Turkey, UK, and USA), of 
which 32 papers were selected for presentation. All submissions were anony- 
mously reviewed by at least 3 experts in the relevant areas. There were two 
invited talks, by Jonathan Katz and Jean-Jacques Quisquater. 

We are very grateful to all the Program Committee members who devoted 
much effort and valuable time to reading and selecting the papers. We also thank 
the external experts who assisted the Program Committee in evaluating various 
papers. We owe special thanks to Jung Yeon Hwang and Judy Kang for always 
being available when their helping hand was needed. 

Finally, we would like to thank all the authors who submitted papers to ICISC 
2003, including those whose submissions were not successful, and the participants 
who together made this conference an intellectually stimulating event through 
their active contribution. 
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Binary Tree Encryption: 
Constructions and Applications 



Jonathan Katz* 



Department of Computer Science 
University of Maryland 
College Park, MD, USA 

jkatzOcs .umd.edu 



Abstract. Binary tree encryption (BTE), a relaxation of hierarchical 
identity-based encryption (HIBE), has recently emerged as a useful and 
intriguing primitive. On the one hand, the definition of security for BTE 
is sufficiently “weak” that — in contrast to HIBE — constructions of 
BTE in the standard model are known. On the other hand, BTE is 
sufficiently powerful that it yields a number of applications which are 
important from both a theoretical and a practical point of view. 

This survey presents the basic definitions of BTE and also highlights 
some recent applications of BTE to forward-secure encryption, identity- 
based and hierarchical identity-based encryption, chosen-ciphertext se- 
curity, and adaptively-secure encryption. 



1 Introduction 

The notion of identity-based cryptography has long fascinated researchers [23]. 
Loosely speaking, in such a scheme any identity (i.e., bit-string) can serve as 
a public key. In somewhat more detail, there is a (trusted) private-key generator 
PKG who generates master system parameters pa rams along with a master secret 
key sk. For any identity id £ {0, 1}* the PKG can use sk to compute a secret 
key SKid corresponding to this identity. The pair ( id , SKid) then functions as 
a standard public-/private-key pair (with the important distinction that id can 
be any string!) whose functionality is determined by the underlying identity- 
based scheme. (The PKG would presumably authenticate the identity of the 
person claiming “ id ” before giving them the corresponding secret key SKid- 
However, this is outside the scope of the present discussion.) An identity-based 
system is secure (informally) if knowledge of the secret keys corresponding to 
any arbitrary-size set of identities X = {id \, . . . , id n } does not allow an adversary 
to “break” the scheme (in the appropriate sense) for any id' qL X. 

Shamir [23] was the first to suggest an implementation of an identity-based 
signature scheme. Following this, many provably-secure proposals for identity- 
based signature and identification schemes followed (e.g., [13, 16]); some of these 

* Portions of this work were supported by NSF grant #ANI-0310751. 
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constructions were recently generalized and expanded upon in [11]. Although 
these constructions are proven secure in the random oracle model, note that it is 
also possible to construct identity-based signatures in the standard model based 
on any “regular” signature scheme (see [11]). 

Recently, Boneh and Franklin [5] and Cocks [10] resolved a long-standing 
open problem by constructing the first identity-based public-key encryption 
schemes. Both of these constructions are proven secure in the random oracle 
model. Since encryption schemes are the focus of this article (and are more in- 
teresting in the sense that they are more difficult to construct), we consider only 
encryption from now on. 

It is natural to extend the notion of identity-based encryption (IBE) to in- 
clude hierarchical identity-based encryption (HIBE). In an HIBE scheme, the 
PKG (as above) issues secret keys to “first-level” identities id £ {0, 1}*; further- 
more, anyone knowing the secret key SK i dl corresponding to a “first-level” iden- 
tity id\ can issue a secret key SK idl ^ ld2 corresponding to any “second- level” iden- 
tity idi\\id 2 (for arbitrary id 2 £ {0, 1}*). More generally, let ID = (*di|| ■ ■ ■ ||*<i t ) 
and let SKjr> be the secret key corresponding to this identity. Then for any string 
idt+i £ {0,1}* and identity ID' = f (ID\\id t +i), knowledge of SKm enables 
computation of a key SKjn>. As before, in all these cases the pair (ID, SAT/d) 
functions as a “standard” public-/private-key pair. The security requirement is 
modified in the obvious way: now, one requires that knowledge of the secret 
keys corresponding to any arbitrary-size set of identities X = {ID i, . . . ,ID n } 
should not enable an adversary to “break” the scheme (in some appropriate 
sense) for any ID' having no ancestors in X, where the ancestors of an identity 
ID = (idi\ \ ■ ■ ■ || id n ) are all identities of the form (*di|| ■ • • \ \idi) for i < n. 

Horwitz and Lynn [17] were the first to suggest the notion of HIBE, and 
they also propose a partial solution handling identities of depth two. Gentry 
and Silverberg [14] were the first to give a complete solution to this problem, 
and they construct and prove secure a scheme supporting identities of arbitrary 
(constant) depth. Both of these constructions build on the IBE scheme of Boneh 
and Franklin [5], and both are proven secure in the random oracle model. 

1.1 Binary Tree Encryption 

It can be immediately noticed that the identities in a hierarchical identity-based 
scheme correspond in the natural way to nodes in a tree. Specifically, one may 
associate the PKG with the root of the tree, the “first-level” identities with 
the nodes of depth one (i.e., the children of the root), and the identity ID' = 
[idi 1 1 • • • | \idt+i) with a node at depth t + 1 which is the child of a node at depth t 
which is in turn associated with ID = (idi\ \ ■ ■ ■ \\idt). 

In a scheme as outlined above, the identity hierarchy yields a tree of un- 
bounded degree. In contrast, a binary tree encryption (BTE) scheme [7] — as 
the name suggests — considers only an identity hierarchy in the form of a bi- 
nary tree (i.e., a tree in which each node has degree two). Viewing BTE as 
a conceptual relaxation of HIBE, one obtains a scheme in which the PKG may 
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potentially issue secret keys to (only) two “identities”: 0 and 1. In turn, the 
“identity” 0 (with knowledge of the appropriate secret key SKq) can potentially 
issue secret keys for the “identities” 00 and 01; an analogous statement holds for 
the “identity” 1. More generally (and dispensing with the purely imaginary con- 
cept of “identities” here), the secret key SK W corresponding to the binary string 
w € {0, 1 } ( enables derivation of the secret keys SK w0 and SK W i corresponding 
to the strings ui0,w>1 £ {0,1}* +1 . As in the case of hierarchical identity-based 
encryption, each pair (w, SK W ) functions as a public-/private-key pair. A def- 
inition of security is developed in a way similar (but slightly different) to that 
discussed above in the context of hierarchical identity-based encryption; a formal 
definition appears in Section 2. 

“Relaxing” the notion of hierarchical identity-based encryption in this way 
turns out to be an incredibly powerful idea. For one, a BTE scheme supporting 
trees of arbitrary polynomial depth has recently been constructed and proven 
secure in the standard model [7] (recall that in the case of HIBE, only a scheme 
of constant depth with a proof of security in the random oracle model [14] is 
known) . The proof relies on a reasonable number-theoretic assumption (namely, 
the decisional bilinear Diffie-Hellman assumption) related 1 to that used by 
Boneh and Franklin in constructing their ID-based scheme [5] . This construction 
of a BTE scheme builds on the construction of Gentry and Silverberg with an 
important “twist”: because a binary tree is used (and because of a slight relax- 
ation of the security definition) , it is possible to replace the random oracle with 
a poly(fc)-wise independent hash function, a description of which is included as 
part of the master system parameters. 

Equally important, the “relaxed” notion of BTE is surprisingly powerful and 
suffices for a number of applications: 

— BTE was used to construct the first forward-secure encryption scheme [7] 
(indeed, the notion of BTE was introduced in the context of research di- 
rected toward solving this problem). Note that this is currently the only 
methodology known for achieving forward-secure encryption. 

— BTE implies both identity-based encryption as well as hierarchical identity- 
based encryption [7], albeit only with respect to a non- adaptive definition 
of security which is weaker than the definition originally proposed [5]. This 
results in the first constructions of IBE and HIBE schemes which may be 
proven secure in the standard model. 

— Recent work [8] shows that any IBE scheme (even if “only” secure against 
non-adaptive attacks) can be used to construct a standard public-key encryp- 
tion scheme secure against adaptive chosen-ciphertext attacks (i.e. , a CCA- 
secure scheme; cf. [3]). Given the result mentioned above, this yields a new 
construction of a CCA-secure encryption scheme in the standard model. In- 
terestingly, the construction seems not to follow the paradigms underlying 
all previous constructions of CCA-secure encryption schemes (cf. [12]). 



1 It is also possible to base a BTE scheme on the identical assumption used by Boneh 
and Franklin (in the standard model) at the expense of a loss in efficiency. 
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— Finally, it has recently been shown [9] how to construct an adaptively-secure 
encryption scheme with “short” keys (namely, with keys shorter than the 
length of all plaintext messages sent — in fact, the length of plaintext to 
be encrypted may be a priori unbounded) based on any forward-secure en- 
cryption scheme plus an NIZK proof system. 2 We comment that adaptively- 
secure encryption with “short” keys is impossible [21] unless some form of 
key-evolving techniques (such as those used in forward-secure encryption 
schemes) are used. 

It is hoped that the above results represent just the “tip of the iceberg” and 
that further applications of BTE will be developed. 

1.2 Outline 

The remainder of the paper is organized as follows. In Section 2, we give a formal 
definition of binary tree encryption as well as the corresponding definition of 
security. In Section 3, we state the known results regarding constructions of 
BTE. The applications of BTE, as highlighted above, are discussed in Section 4. 
The treatment given here is at a relatively high level; the interested reader is 
referred to the original papers [7, 8, 9] for additional information. 

2 Definitions 

Definitions related to identity-based encryption [5] and hierarchical identity- 
based encryption [14] are given elsewhere; for the purposes of understanding the 
definition of binary tree encryption, the informal descriptions provided in the 
Introduction should suffice. We thus begin with a formal definition of binary 
tree encryption (BTE), taken from [7]: 

Definition 1. A (public-key) binary tree encryption (BTE) scheme is a )-tuple 
of PPT algorithms (Gen, Der, Enc, Dec) such that: 

— The key generation algorithm Gen takes as input a security parameter l k 
and a value I for the depth of the tree. It returns a master public key PK 
and an initial (root) secret key SK e . (We assume that the values of k and i 
are implicit in PK and all node secret keys.) 

— The key derivation algorithm Der takes as input PK , the name of a node 
w G {0, l} <e , and its secret key SK W . It returns secret keys SK w q , SK W \ for 
the two children ofw. 

— The encryption algorithm Enc takes as input PK , the name of a node w G 
{0, 1}-^, and a message M . It returns a ciphertext C . 

— The decryption algorithm Dec takes as input PK , the name of a node w G 
{0, l}~ e , its secret key SK W , and a ciphertext C. It returns a message M . 

2 Interestingly, it is shown in [7] how to construct an NIZK proof system based on the 
same number-theoretic assumption used for the forward-secure encryption scheme. 
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For correctness, we require that for any (PK, SK e ) output by Ger\(l k ,£), any 
node w £ {0, 1}-^ and secret key SK W correctly generated for this node, and any 
message M, we have M = Dec(PK,w,SI\ w ,Er\c(PK,w,M)). 

The security notion for BTE is largely similar to the security notion for HIBE, 
with the key difference being that the present definition requires the attacker to 
commit to the node to be attacked (i.e., the “target node”) in advance , before 
seeing the public key and before asking any key exposure queries. This type 
of attack is called a selective-node (SN) attack. While the resulting definition 
is weaker than a definition which allows the adversary to adaptively select the 
target node, we stress again that this “weaker” definition suffices for all the 
applications mentioned herein. Furthermore, it is (in part) this weakening of the 
definition which allows for a construction of BTE in the standard model. 

Definition 2. A BTE scheme is secure against selective-node, chosen-plaintext 
attacks /SN-CPA/ if for all polynomially-bounded functions £(■) , the advantage of 
any PPT adversary A in the following game is negligible in the security parameter: 

1. A(l k ,£(k)) outputs a name w* £ {0, 1}-W of a node. 

2. Algorithm Gen(l fe ,£(fc)) outputs (PK, SK e ) . In addition, algorithm Der(- • •) 
is run to generate the secret keys of all the nodes on the path from the root 
to w* (we denote this path by P ), and also the secret keys for the two children 
of w* (if \w* | < £). 

3. The adversary is given PK and also the secret keys {SK W } for all nodes w 
of the following form: 

- w = w'b, where w'b is a prefix of w* and b £ {0, 1} (i.e., w is a sibling of 
some node in P); 

- w = w*0 or w = w* 1 (i.e., w is a child of w* ; this is only when |w;*| < £). 

( Note that this allows the adversary to compute SK w i for any node w' £ 
{0, that is not a prefix of w* .) 

4- The adversary generates a request challenge(Mo, M\). A random bit b is se- 
lected and the adversary is given C* = Enc (PK,w*,Mf). 

At the end of the game the adversary outputs b' £ {0, 1}; it succeeds ifb ’ = b. The 
adversary’s advantage is the absolute value of the difference between its success 
probability and 1/2. 

Security against chosen-ciphertext attacks (denoted SN-CCA) is defined as the 
obvious extension of the above; see [7] for details. 

3 Constructions of Secure BTE Schemes 

We limit ourselves to listing the known results regarding constructions of secure 
BTE schemes, and to a tabulation of their complexity (as a function of the 
tree depth); the reader is referred to [7] for further details. All constructions 
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mentioned below (indeed, all known constructions of BTE) rely on variants of 
the so-called Bilinear Diffie- Heilman (BDH) assumption. This assumption was 
first formally defined by Boneh and Franklin [5], motivated by earlier work of 
Joux [18] and Joux and Nguyen [19]. 

One of the main results of [7] is the following: 

Theorem 1. Assuming the decisional BDH assumption, there exists a BTE 
scheme secure in the sense of SN-CPA. 

It is easy to modify the construction so that it relies only on the (possibly 
weaker) computational BDH assumption (this may be done by using a hard- 
core predicate of the computational BDH problem, and encrypting bit-by-bit). 
However, this modification comes at the expense of a significant loss of efficiency. 

Two generic techniques for achieving chosen-ciphertext security for an arbi- 
trary BTE scheme have been proposed. The first [7] relies on non-malleable non- 
interactive zero-knowledge (NIZK) proofs, adapting an approach due to Naor 
and Yung [20] and Sahai [22] in the context of making “standard” public-key en- 
cryption schemes secure against chosen-ciphertext attacks. Interestingly, in the 
process of developing this solution it is also shown how non-malleable NIZK may 
be based on any publicly-verifiable trapdoor predicate (this notion, introduced 
by [11, 7] , generalizes the notion of trapdoor permutations) , and furthermore how 
the decisional BDH assumption naturally gives rise to such predicates. Putting 
this together gives the following result: 

Theorem 2. Assuming the decisional BDH assumption, there exists a BTE 
scheme secure in the sense of SN-CCA. 

Because the above relies on NIZK proofs of generic NP statements, it should 
properly be regarded as a feasibility result rather than as a method for construct- 
ing efficient schemes. Recently [8], a more efficient method for achieving chosen- 
ciphertext security for an arbitrary BTE scheme was proposed; this method (in 
particular) avoids any zero-knowledge proofs and instead relies on one-time sig- 
nature schemes (which may be constructed from any BTE scheme). This gives 
an alternate proof of the above theorem, via a more practical construction. 

The above results all hold in the standard model. If one is willing to as- 
sume the random oracle model, improved efficiency can be achieved. For one, it 
should be clear that any HIBE scheme which is secure for a non-adaptive choice 
of the target identity is also a BTE scheme; thus, the construction of [14] may be 
used. One way to view this is as simply replacing the poly(fc)-wise independent 
hash function in the construction of [7] by a random oracle (which, of course, 
is also a poly(fc)-wise independent hash function). This leads to improved effi- 
ciency since a poly(fc)-wise independent hash function is (relatively) expensive 
to generate and evaluate — in particular, requiring time 0(poly(fc)) — while for 
a random oracle these operations are all assumed to take time 0(1). Further- 
more, essentially the same scheme (with but one additional call to the random 
oracle) may be based on the (possibly weaker) computational BDH assumption 
rather than the decisional BDH assumption. Finally, improved efficiency is also 
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Table 1 . Summary of dependencies on the depth of the tree i 





Standard model 


Random oracle model 


Master key generation time 


0(1) 


0(1) 


Encryption/decryption time 


0(1) 


0(1) 


Key derivation time 


0(1) 


0(1) 


Ciphertext length 


0(1) 


0(1) 


Public key size 


0(1) 


0(1) 


Secret key size 


0(1) 


0(1) 



possible for BTE schemes achieving chosen-ciphertext security. See [7] for further 
details. 

For completeness, the asymptotic efficiencies of the two constructions secure 
in the sense of SN-CPA (i.e., in the standard model and in the random oracle 
model) are given in Table 1. 

4 Applications of BTE 

We briefly summarize the known applications of BTE. 

4.1 Forward Secure Encryption 

Cryptographic computations are often carried out on insecure devices for which 
the threat of key exposure represents a serious and realistic concern. In an ef- 
fort to mitigate the damage caused by exposure of secret keys stored on such 
devices, the paradigm of forward security was introduced [1, 4]. In a forward- 
secure scheme, the secret key is updated at regular periods of time (say, at the 
end of every day), while the public key remains fixed; such schemes guarantee 
that exposure of the secret key corresponding to a given time period does not 
enable an adversary to “break” the scheme (in the appropriate sense) for any 
prior time period. 

Although a number of forward-secure signature and identification schemes 
(beginning with [1, 4]) have been proposed, designing a forward-secure (public- 
key) encryption scheme seemed elusive. As outlined in [7], however, BTE schemes 
can be used to solve this problem, and to give efficient constructions of forward- 
secure encryption schemes. The basic idea is as follows: let N be the total number 
of time periods 3 for which the system will operate. Each of these time periods 
is associated with a node in a binary tree of depth [log N~\ in the following way: 
the i th time period will be associated with the i th node of the tree according to 
a pre-order traversal, We denote this node by (i). 

The secret key at period i will consist of: (1) the secret key for node (i) in the 
underlying BTE scheme; and also (2) the secret keys (in the underlying BTE 
scheme) for all right-children of the path from the root of the tree to ( i }. To 

3 We assume for simplicity that N is fixed in advance; in fact, an unbounded number 
of time periods can be supported [7]. 
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encrypt a message during period i, a sender simply encrypts it for the node (i) 
(again, using the underlying BTE scheme); note that decryption is possible since 
the secret key at period i includes, in particular, the secret key for node (i). It 
should be noted also that key updates can be done by erasing the secret key 
for node (i) and using the additional secret keys (i.e., those keys belonging to 
right-children of the path from the root to (i)) to derive the necessary keys for 
the next time period. Details are given in [7], where the following is also proven: 

Theorem 3. (Informal:) Given any BTE scheme secure in the sense of SN- 
CPA. the above construction yields a forward- secure encryption scheme. 

Since the above construction requires a binary tree of depth log N to support N 
time periods, the scheme itself has all parameters at most poly-logarithmic in the 
number of time periods (cf. Table 1). In fact, additional improvements are possi- 
ble. These improvements and various extensions of the above theorem, omitted 
here for lack of space, are given in [7]. 

4.2 (Hierarchical) Identity-Based Encryption 

It was noted earlier that any HIBE scheme is also trivially a BTE scheme, 
without any modification. Interestingly, one can also show that a BTE scheme 
is powerful enough to construct a full-fledged HIBE scheme [7] (or, as a special 
case, an identity-based scheme), albeit under a slightly weaker definition which 
requires a non-adaptive choice of the target identity. We sketch the construction 
here. An HIBE of depth t is constructed using a BTE of depth k ■ t, where k is 
the security parameter. Identities are hashed to strings of length at most k ■ t 
by applying a collision-resistant hash function H to the identities at each level; 
thus, the identity (*di|| • • ■ \\idf) is mapped to the string H{id\)\\ ■ ■ ■ || H(idi). It 
is not hard to show that this gives a secure HIBE, under the relaxed definition 
of security given above. In fact, because the target identity must be chosen in 
advance, it is enough for H to be a universal one-way hash function (whose 
existence is implied by any BTE scheme); thus, we have: 

Theorem 4. Assuming the existence of a BTE scheme secure in the sense of 
SN-CPA, there exists an HIBE scheme of arbitrary polynomial depth secure under 
a non-adaptive choice of target identity. 

4.3 Chosen-Ciphertext Security 

Recently, an interesting connection between identity-based encryption and se- 
curity against chosen-ciphertext attacks (for “standard” public-key encryption 
schemes) has been shown [8]. In particular, it was shown how any identity- 
based encryption scheme can be used to give a simple and efficient construction 
of a regular encryption scheme secure against chosen-ciphertext attacks (i.e., 
a “CCA-secure” encryption scheme). The resulting construction avoids the use 
of any generic NIZK proofs, and furthermore seems not to follow the paradigm of 
all previously-known constructions of CCA-secure encryption schemes (cf. [12]). 
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We describe the construction of a CCA-secure standard encryption scheme 
now: The public key of the scheme will be the master public key PK of the 
identity-based scheme, while the secret key SK is the corresponding master 
secret key. To encrypt a message m, the sender generates verification/signature 
keys (v k, sk ) for any one-time signature scheme, and encrypts m for “identity” 
vk (using the underlying identity-based scheme). The sender signs the resulting 
ciphertext C to obtain a signature <r, and sends (vk, C, a) to the receiver. 

The receiver first verifies that a is a correct signature on C with respect to vk ; 
if not, the ciphertext is rejected. Otherwise, the receiver uses the master secret 
key SK to generate a decryption key SK v k corresponding to the “identity” vk. 
Notice that it can then decrypt C using SK V ]~. 

The following is proven in [8]: 

Theorem 5. (Informal:) Given any identity-based, encryption scheme secure 
under a non-adaptive choice of target identity, the above construction yields 
a CCA-secure encryption scheme. 

Note that the identity-based scheme need only be secure against a non-adaptive 
choice of target identity; combined with Theorems 1 and 4, this results in a new 
construction of a CCA-secure encryption scheme in the standard model. 

It has already been noted above that a similar technique may be used to 
construct a BTE scheme secure against chosen-ciphertext attacks, starting with 
any BTE scheme secure in the sense of SN-CPA. Because this gives a slightly 
stronger result than that of Theorem 2, we state it here for completeness: 

Theorem 6. Assuming the existence of a BTE scheme secure in the sense of 
SN-CPA, there exists a BTE scheme secure in the sense of SN-CCA. 

See [8] for further details. 



4.4 Adaptively- Secure Encryption 

Standard definitions of secure encryption do not guarantee security in the case of 
adaptive corruptions. In a setting where such adaptive corruptions are possible, 
the encryption scheme should provide the additional guarantee that the infor- 
mation gathered by an adversary when corrupting parties (and, in particular, 
learning their secret keys) does not give it any additional advantage toward com- 
promising the security of the uncorrupted parties. Very roughly speaking, this 
requirement may be captured by the existence of a simulator that can generate 
“dummy” ciphertexts which it can later “open” (by revealing an appropriate 
secret key) to any given message. (Of course, this must be done in such a way 
that the revealed secret key “matches” the fixed public key.) Schemes achieving 
this notion of security are termed adaptively secure. We do not further motivate 
or describe the definition, but instead refer the reader elsewhere [2, 6, 21, 15, 9] 
for additional discussion. 

Nielsen has shown [21] that non-interactive adaptively-secure encryption (in 
the standard model) is “impossible” unless the secret key is as long as the 
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length of all plaintext messages that are sent. In particular, this implies that no 
adaptively-secure scheme supporting an a priori unbounded number of messages 
is possible. This result is in stark contrast to the case for encryption schemes 
which are not adaptively secure. 

It is possible to circumvent Nielsen’s impossibility result, however, by con- 
sidering key-evolving cryptosystems; i.e. , those in which the secret key evolves 
over time. This suggests using forward-secure encryption as a building block to- 
ward building adaptively-secure schemes. (Note that a forward-secure encryption 
scheme, by itself, is not necessarily adaptively secure.) In fact, a construction of 
an adaptively-secure encryption scheme based on any forward-secure encryption 
scheme has recently been given [9]: 

Theorem 7. (Informal:) Assuming the existence of a forward-secure encryp- 
tion scheme and an NIZK proof system for NP, there exists a non-interactive 
adaptively-secure encryption scheme for an unbounded number of messages. 

Since both a forward-secure encryption scheme as well as NIZK proofs may be 
based on the BDH assumption (cf. [7]), the BDH assumption suffices to imply 
the result of the theorem. 

More efficient constructions of adaptively-secure encryption, which avoid 
NIZK proofs altogether (but which in some cases require additional number 
theoretic assumptions), are also given in [9]. 
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Abstract. We present a threshold ring signature scheme (spontaneous 
anonymous threshold signature scheme) that allows the use of both RSA- 
based and DL-based public keys at the same time. More generally, the 
scheme supports the mixture of public keys for any trapdoor-one-way 
type as well as three-move type signature schemes. This kind of ‘sepa- 
rability’ has useful applications in practice as a threshold ring signature 
is no longer limited to support only one particular type of public keys, 
as required by all the previous schemes. In the paper, we also show that 
the signature maintains the anonymity of participating signers uncondi- 
tionally and is existential unforgeable against chosen message attacks in 
the random oracle model. 



1 Introduction 

Let us consider the following scenario. Suppose there are n users in a public- key 
system in which each of them has a public key pair for digital signature. Their 
public keys are generated independently without any coordination with others 
and therefore their keys may correspond to different security parameters. In 
addition, it is very likely that the keys are for entirely different signature schemes. 
For example, user 1 may have a key pair for 2048-bit RSA signature scheme [17], 
user 2 may have one for 1024-bit Digital Signature Algorithm [12], user 3 may 
have one for 163-bit ECDSA (Elliptic Curve Digital Signature Algorithm) [9], 
while user 4 may prefer to use one for 1024-bit Schnorr signature scheme [18]. 
Other users may pick key pairs for their favorable signature schemes other than 
the previous ones. Under this system setup, t users spontaneously form a group 
of n possible signers by arbitrarily choose n users including themselves, where 
n > t, and generate a signature for some message such that (1) any public 
verifier (who has all the n public keys) can tell if the signature is valid ( public 
verifiability)', (2) can identify who the t actual signers are even when all the 

* A part of this work was supported by a grant from CityU(Project No. 7200005). 
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private keys of the n possible signers in the group are known ( anonymity , signer- 
ambiguity) ; and (3) knowing only t — 1 private keys of the signing group is not 
enough for forging such a signature ( unforgeability , robustness). In this paper, 
we focus on solving the problem and we call the scheme a separable threshold 
ring signature scheme or spontaneous anonymous threshold signature scheme. 

The notion of ring signature was first formalized by R.ivest et al. in [16]. 
A ring signature scheme allows a signer to spontaneously form a group of sign- 
ers including himself and generate a signature such that any public verifier can 
tell if the signature is valid while cannot determine the actual authorship of 
the signature. In addition, the formation of a signing group does not require 
any coordination of group membership or any TTP (Trusted Third Party), and 
therefore can be formed by the actual signer without getting any consent from 
other diversion group members — spontaneity. The concept of spontaneity was 
absent from most previous results on threshold cryptography and threshold sig- 
nature schemes [7]. The signing group is formed with the intervention of the 
group manager and may also require coordination among group members. Also 
the group manager who always knows who the the actual signer is. In the ring 
signature, the absence of a group manager provides anonymity to the actual 
signer both inside and outside the signing group. 

A (t, n)-threshold ring signature [3] has the similar notion to the ring sig- 
nature. First, a (t, n)-threshold ring signature scheme requires at least t signers 
to work jointly for generating a signature. Second, the anonymity of signers is 
preserved both inside and outside the signing group. Third, those t participating 
signers can choose any set of n entities including themselves without getting any 
consent from those diversion group members. 

(Separability) An application is said to be separable if all participants can choose 
their keys independently with different parameter domains and for different types 
of signature schemes. The term separability was originated from [10] and was 
diversified in [5]. There exists weaker forms of separability. Partial separability 
allows only a subset of the participants to choose their keys independently and 
weak separability requires all participants to use common system parameters. [?] 
provides perfect separability, [10] provides partial separability and [5] provides 
weak separability. However, all of these schemes are group signature schemes 
and there is no corresponding variant of threshold ring signature schemes. 

There is another scenario: when all participants in an application choose 
their keys independently but requiring that all the keys are for one single type 
of signature schemes. For example, all keys have to be for a RSA-based signature 
scheme but they may have different key sizes. We say that the application has 
type-restricted separability. 



1.1 Our Contributions 

We present a (t, n)-threshold ring signature scheme (spontaneous threshold sig- 
nature scheme) that enjoys separability. In each signature, the public keys indi- 
cated can be for any trapdoor-one-way type and any three-move type signature 
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schemes. When compared with [3, 20], our scheme runs more efficiently and of- 
fers a smaller signature size in the general case. When compared with [4, 20], 
our scheme eliminates the need of an ideal cipher and costly domain adjustment. 
The assumption of the existence of an ideal cipher is stronger than the assump- 
tion of having random oracles. Our scheme is proven to be secure in the random 
oracle model [2]. 

The remaining of the paper is organized as follows. In Sec. 2, several ring 
signature schemes and threshold ring signature schemes are reviewed. This is fol- 
lowed by the formal definition of a secure (t, n)-thresholcl ring signature scheme 
in Sec. 3. Then we exemplify our scheme using some concrete setup and analyze 
its security in Sec. 4 and Sec. 5, respectively. In Sec. 6, the generic version of our 
separable threshold ring signature scheme is presented. We conclude the paper 
in Sec. 7. 



2 Related Work 

The notion of ring signature was first formalized by Rivest et al. in [16]. They 
also proposed an efficient ring signature scheme which support public keys for 
trapdoor one-way functions. Several other ring signature schemes were later pro- 
posed [3, 21, 1, 20]. Among these schemes, [1] supports the use of various flavors 
of public keys at the same time in one single ring signature. Their scheme allows 
the mixture of public keys for trapdoor one-way function based signature schemes 
(also known as trapdoor-one-way type signature schemes) and three-move type 
signature schemes such as Fiat-Shamir signature scheme [ ] and Schnorr signa- 
ture scheme [18]. 



2.1 Witness Indistinguishable Signature (WIS) [6] 

Although ring signature was first formalized in 2001 by Rivest, et al. [16], similar 
concept was actually raised earlier. In 1994, Cramer et al. [6] proposed a proof of 
knowledge protocol which consists of the properties of a threshold ring signature 
scheme at large. Their protocol lets a prover show that he knows solutions of 
at least t out of n problem instances without revealing which t instances are 
involved. Our (t, n)-threshold ring signature scheme follows its concept in the 
sense that the t participating signers show that they know at least t private keys 
corresponding to n public keys without leaking which ones they really are. 

The protocol proposed in [6] requires two mechanisms with certain security 
properties. The first mechanism is a proof of knowledge protocol taken between 
a prover and a verifier. For simplicity, it is assumed to be a three round public 
coin protocol where the prover speaks first. The three messages are denoted 
as m\ c and m" where c is referred to as a challenge generated by the verifier 
and m" is the prover’s final message which is referred to as the answer. By 
running this protocol, the prover tries to convince the verifier that he knows 
the solution (the witness), denoted by w, of a publicly known problem instance, 
denoted by x. One important property of the proof of knowledge protocol is 
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called honest verifier zero-knowledge. This property allows anyone on input x 
simulates the conversation (m! , c, m") in the way that it is indistinguishable from 
a real conversation between an honest prover and an honest verifier. 

The second mechanism is a secret sharing scheme. The scheme distributes 
a secret s among n participants. Each participant has one share. The shares are 
computed in such a way that knowing t (where t < n) shares can reconstruct s. 
One important property of the scheme is that given s and shares of any n — t 
participants, the shares of the remaining t participants can be reconstructed. 

Let P and V be the prover and verifier, respectively. The description below 
shows the major steps of the protocol of [6]. It allows P to show V that he 
knows solutions of t out of n question instances, denoted by xi, ■ ■ ■ , x n , without 
revealing which t instances are involved. Let A be the set of t question instances 
whose solutions are known to P. Let A be the set of the other n — t question 
instances whose solutions are not known to P. 

1. For each i £ A, as P does not know the solution Wi to question instance Xi, 
he simulates a conversation (m',Ci,m"). For each i £ A, P determines rn' 
as what an honest prover would send as the first message in the proof of 
knowledge protocol for the question instance Xj. P sends m' lt • • • , m' n to V. 

2. V randomly picks a binary string with appropriate length and denotes it 
as s, the secret. V sends s to P. 

3. Due to the important property of the secret sharing scheme described 
above, P considers s as the secret and Cj for * £ A as the n — t shares, and 
reconstructs the remaining t shares. These t shares are set to Cj for i € A. 
In Step 1, m " has produced for each i £ A. For each i £ A, P knows the 
witness Wi for Xi , and can therefore find a valid m " for m\ and c* by running 
the proof of knowledge protocol for common input Xi while behaving exactly 
like an honest prover. P sends the set of messages Cj, m", for 1 < * < n, to V. 

4. V verifies whether all conversations (m(, Cj, m"), for 1 < i < n, lead to accep- 
tance by honest verifiers in the corresponding proof of knowledge protocols. 
In addition, V checks if all the n shares are consistent with the secret s. He 
accepts if all these checkings are satisfied. 

It is also remarked in [6] that this protocol can be extended to an non- 
interactive forum (signature) by computing the challenge as a hash value of the 
message to be signed and the prover’s first message. 

In [1], Abe et al. presented an instantiation of [6] which is a ring signature 
scheme. In [4], Bresson et al. presented a threshold ring signature instantiation 
of [6]. In [3] , Bresson et al. proposed another threshold ring signature scheme with 
a different construction from [6]. It uses the concept of partitioning. In [20], Wong 
et al. proposed a threshold ring signature scheme using tandem construction 
method which can be considered as an extension of the ring signature scheme 
proposed by R.ivest et al. [.6]. It runs efficiently when t is near 1 or n. All of 
them support the use of public keys for only trapdoor one-way type signature 
schemes. They do not support public keys for three-move type signature schemes 
or the mixture of these two types of signature schemes. In other words, none of 
the current threshold ring signature schemes is separable. 
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In this paper, we propose a separable threshold ring signature scheme. In the 
following, we first specify the security requirements of a secure threshold ring 
signature scheme. 



3 Security Model 

Let k £ N be a security parameter and m £ {0, 1}* be a message. 

Definition 1 (Threshold Ring Signature Scheme). A (t , n) -threshold ring 
signature scheme is a triple ( Q , St, n , Vt,n) where 

— ( s,P ) <— G(l k ) is a probabilistic polynomial time algorithm (PPT) which 
takes as input a security parameter k, produces a private key s and a public 
key P. 

— a <— S, L, m) is a PPT which accepts as inputs a security parame- 

ter k, a set of private keys S , a set of public keys L including the ones that 
correspond to the private keys in S and a message m, produces a signature 
a. We require that |5| = t and \L\ = n where 0 < t < n. 

— 1/0 <— Vt jra (l fc , L, m, a) is a polynomial-time algorithm which accepts as in- 

puts a security parameter k, a set of n public keys L, a message m and 
a signature a, returns 1 or 0 for accept or reject, respectively. We require 
that Vt, n (l fe , L, 77i, tS’t,n(l fe , S, L, ro)) = 1 for any message m and any set S 
oft private keys in which each key is generated by and any set L of n 

public keys in which the public keys corresponding to all the private keys of 
S are included. 

For simplicity, we usually omit the input of security parameter when using St, n 
and Vt, n in the rest of the paper. 

L may include public keys based on different security parameters. The se- 
curity of the signature scheme defined above is set to the smallest one among 
them. Q may also be extended to take the description of key types. 

The security of a (t, n)-threshold ring signature scheme consists of two re- 
quirements, namely Signer Ambiguity and Unforgeability. They are defined as 
follows. 

Definition 2 (Signer Ambiguity). Let L = {Pi,---,P n } where each key 
is generated as ( Si,Pi ) <— G( l fei ) for some ki £ N. Let k = min(fci, • ■ • , k n ). 
A (t,n) -threshold ring signature scheme is unconditionally signer ambiguous 
if for any L, any message m, and any signature a <— St,n(S,L,m) where 
S C {sr , • • • , s ra } and | = t, any unbound adversary E accepts as inputs L, m 
and a, outputs i r such that s v £ S with probability t/n. 

It means that even all the private keys are known, it remains uncertain that 
which t signers out of n possible signers actually work jointly to generate a (t, n)- 
threshold ring signature. 
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Definition 3 (Unforgeability). Let L = {Pi, ■ ■ ■ , P n } be the set of n public 
keys in which each key is generated as ( Si,Pi ) <— Q{ l ki ) where ki £ N. Let 
k = min(fci, ■ ■ ■ , k n ). Let SO{L' , i\, ■ ■ ■ , if, m) be a signing oracle that takes 
any set L' of public keys, where L' C L and n' = \L'\, any t! signers indexed 
by ii,---,i t ’ where 1 < ij < n, 1 < j < t' and t' < n' , and any message m, 
produces a (t 1 ,n') -threshold ring signature a <— Sf ■ ■ ■ , §i t ,} , L' ,m) such 

that Vt',n'(L', m, cr) = 1. Let St- i be any set oft— 1 private keys corresponding 
to the public keys in L. A (t,n) -threshold ring signature scheme is unforgeable 
if, for any PPT A with signing oracle SO, for any L, and for all sufficiently 
large k, 

Pr[^4‘ so (l fe , L, St-i) — > (m,er) : 1 <- V t , n (L,m,a)\ < e(k) 

where e is some negligible function. Restriction is that ( L , i\, ■ ■ ■ , i t , m, a) should 
not be found in the set of all oracle queries and replies between A and SO for 
any 1 < ij < n, 1 < j < t. The probability is taken over all the possible inputs 
of A, oracle queries and coin flips of A. 

A real- valued function e is negligible if for every c > 0, there exists a k c > 0 such 
that e(k) < k~ c for all k > k c . 

We say that a ( t , n)-threshold ring signature scheme is secure if it satisfies 
the above requirements. 

4 The Separable Threshold Ring Signature Scheme 

Our scheme follows the concept of the three-round protocol in [6] (Sec. 2.1). In 
the following, we exemplify our separable threshold signature scheme by using 
a concrete setup which consists of the mixture of public keys for all RSA-based 
and DL-based signature schemes. In Sec. 6, we generalize it to support the mix- 
ture of public keys for any trapdoor one-way type and three-move type signature 
schemes. 

4.1 Concrete Setup: All RSA-based and DL-based Public Keys 

For i = 1, • • • , n, if user i has a DL-based key pair, his public key is ( pt , qi,gt, yf) 
and private key is Xi £ where Pi,qt are prime, <?i|(pi — 1), gt £ of order qt 
and yi = gf’ mod pi . We assume that the discrete logarithm problem modulo pt 
is hard. If user i has a RSA-based key pair, then his public key is (e^, Nf and 
private key is di where Ni is a product of two equal-length prime numbers 
and etdi = 1 (mod 4>{Ni)). We assume that the underlying RSA inverting 
problem is hard. Let Hi : {0, 1}* — > Zjv* be some cryptographic hash function. 
Let L be the set of all public keys of the n users. 

Let p be twice the bit length of the largest qt and iVj, for 1 < i < n. Let 
G : {0,1}* — > {0,1} P be some cryptographic hash function. Without loss of 
generality, suppose user j, for 1 < j < t, are participating signers and user i, 
for t + 1 < i < n, are non-participating signers. To generate a (t, n)-threshold 
ring signature on a message m € {0, 1}*, the t participating signers carry out 
the following steps. 
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The Signing Algorithm. 

1. For i = t+ 1, ■■ ■ ,n, pick a Gr {0, 1} P and Si Gr Zx where X = or X = Ni 
if user i has a DL-based key pair or a RSA-based key pair, respectively. 
Compute 

_ J gl'yl' mod Pi if user i has a DL-based key pair 

1 \ Hi(d) + sf* mod Ni if user i has a RSA-based key pair 

2. For j = 1, • • ■ , i, pick rj Gr Zx and compute 

J g rp mod pi if user j has a DL-based key pair 
\ rj if user j has a RSA-based key pair 

3. Compute cq = G(L, t, m, z±, ■ ■ ■ , z n ) and construct a polynomial / over 
GF(2 P ) such that deg (/) = n—t, /( 0) = cq and f{i) = c,, for t+1 < i < n. 

4. For j = 1, • ■ ■ , t, compute Cj = f{j ) and 

J rj — CjXj mod qj if user j has a DL-based key pair 

J [ ( rj — Hj(cj)) dj mod Nj if user j has a RSA-based key pair 

5. Output the signature for m and L as a = (si, • • • , s ni /). 

The Verification Algorithm. A verifier checks a signature a = (si, • • • , s n , f) 
with a message m and a set of public keys L as follows. 

1. Check if deg (/) = n—t. If yes, proceed. Otherwise, reject. 

2. For i = 1, ■ • ■ , n, compute d = f(i) and 

, _ J gl'yl' mod pi if user i has a DL-based key pair 

1 \ Hi(d) + s®* mod Ni if user i has a RSA-based key pair 

? 

3. Check whether /( 0) = G(L, t,m, z[,- ■ ■ , z n ). If yes, accept. Otherwise, reject. 

It is not difficult to see that this concrete setup can be generalized easily 
to support the mixture of public keys for all trapdoor-one-way type and three- 
move type signature schemes at the same time in a signature. A generic scheme 
is given in Sec. 6. 

5 Security Analysis 

We first define the following two problems and assume that they are hard in our 
concrete setup described above. 

Discrete Logarithm Problem (DLP). Let p and q be prime, q\{p— 1), and |g| = k 
where k is a security parameter. Let g G Z* of order q. Given an element h G Z* 
chosen at random, find an integer x such that g x = h (mod p) . 
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RSA Problem (RSAP). Let n = pq where p and q are two equal-length primes. 
Let e be a number such that e and are co-prime. Given an element y £ Z„ 
chosen at random, find an integer x such that x e = y (mod n). 

Theorem 1. The scheme in Sec. 4-1 is unconditionally signer ambiguous if all 
hash functions behave like random oracles [2], 

Proof. The polynomial /, with degree n— t, is determined by ct+i, • • • , c n and cq. 
ct- |-i, • • ■ , c n are randomly generated and cq is the output of the random oracle G. 
Thus / can be considered as a function chosen randomly from the collection of 
all polynomials over GF(2 P ) with degree n—t. Then the distributions of Ci, ■ ■ ■ , Cj 
are also uniform over the underlying range. 

For i = t + 1, • • • , n, Sj are chosen independently and distributed uniformly 
over Z.y where X = qi or X = Ni if signer i has a DL-based key pair or a RSA- 
based key pair, respectively. For j = 1, • • • , t, rj are chosen independently and 
distributed uniformly over Zx- Since rj are independent of Cj and the private 
keys Xj (DL-based private key) or dj (RSA-based private key), Sj, 1 < j < t , 
are also uniformly distributed. 

In addition, for any fixed message m and fixed set of public keys L , we can 
see that (si, • ■ • , s n ) has exactly 



n v, 

l<i<n 



possible solutions. Since the distribution of these possible solutions are indepen- 
dent and uniformly distributed no matter which t participating signers are, an 
adversary, even has all the private keys and unbound computing resources, has 
no advantage in identifying any one of the participating signers over random 
guessing. □ 

In the following, we show the unforgeability (Def. 3) in the case when all 
public keys are for DL-based signature schemes. 

Lemma 1 . Let a forger E be a probabilistic polynomial time machine. For some 
message m £ {0,1}* and a set of n public keys L corresponding to n signers, 
suppose E on inputs the private keys of any t— 1 signers among the n sign- 
ers, queries a signing oracle SO (specified in Def. 3) and a random oracle G 
polynomial times, and outputs a forged signature a (i.e. 1 <— Vt,n(L,m,cr)), 
with non-negligible probability pe- Then DLP can be solved with non-negligible 
probability in polynomial time. 

Proof in Appendix A. 

We will need the following definitions. 

The RSA-Collision Problem: Given an RSA public key (n, e) and a hashing 
function FI, produce (ci, si) ^ ( 02 , S 2 ) satisfying 7J(ci) + sf = H(c 2 ) + S 2 mod n. 

Remark: Under the random oracle model, the RSA-Collision Problem is 
equivalent to the Additive RSA Problem from [10]: Given an RSA public key 
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(n,e) and a random number r, produce (si,S 2 ) satisfying sf — s| = r mod n. 
The proof of this equivalence is straightforward and omitted. 

Now we show the unforgeability (Def. 3) in the case that all public keys are 
for RSA-based signature schemes. 

Lemma 2. Let a forger A be a probabilistic polynomial time machine. For some 
message m and a set of n public keys L corresponding to n signers, suppose A on 
inputs the security parameter k, the private keys of any t—1 signers among the n 
signers, queries a signing oracle SO (specified in Def. 3) for qs times, random 
oracle G for qc times and random oracles {i?i}i<i< n for qn times combined, 
and outputs a forged signature a (i.e. 1 <— Vt, n (L,m, a)), with non-negligible 
probability p a- Then RSA-Collision can be solved with non-negligible probability 
in polynomial time. 

Proof in Appendix B. 

Combining the two lemmas above and some additional derivations, we show 
that our scheme in the case of having the mixture of keys for RSA-based and 
DL-based signature schemes is unforgeable. 

Theorem 2. For a PPT forger T which simulates both forgers specified in 
Lemma 1 and Lemma 2, suppose T on inputs the security parameter k, the pri- 
vate keys of any t — 1 signers among n signers, queries signing oracle SO for qs 
times, random oracles Hi, 1 < i < n for qn times and G for qa times, and 
outputs a forged signature a with non-negligible probability pjr. Then a PPT D 
can be constructed from T that solves DLP or RSA-Collision with non-negligible 
probability. 

Proof. The proof is straightforward by combining the machines B and A 1 to- 
gether and replacing the key pairs of other signers to the mixture of RSA-based 
and DL-based ones. □ 

6 The Generic Separable Threshold Ring Signature 
Scheme 

In Sec. 4, we exemplify our scheme with support to the mixture of public keys 
for all types of RSA-based and DL-based signature schemes in a signature. In 
this section, we generalize it by presenting our Generic Scheme. The scheme can 
produce a signature which includes the mixture of public keys for any trapdoor- 
one-way type and three-move type signature schemes. In the following, we first 
review these two types of signature schemes due to [1]. 

Trapdoor-One- Way Type Signature Scheme. Let F be a trapdoor one-way 
function family indexed by a public key P and A -1 be the family of its inverse 
functions indexed by the corresponding private key s. Let Domain be a func- 
tion which accepts as input a function and returns the domain of the function. 
We require that for any m £ Domain(.F), m = T ,_1 (s, F(P,m)). Assume that 
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computing F^ 1 is hard without knowing s. For short, we define Fp(-) = F(P, •) 
and F7 l (•) = F~ 1 (s, •). Examples of trapdoor one-way type signature schemes 
include RSA [17] signature scheme, Rabin’s function [15, 19], etc. A signing algo- 
rithm 6> H , which takes a message m and the private key s, produces a signature 
a by 

a = F7\H(m)) 

where F[ : {0,1}* — + A is some appropriate cryptographic hash function and A 
is the range of F. The verification algorithm V H , which takes a message m, the 
public key P, and a signature a, produces a boolean output, 1/0. It outputs 1 
if H(m) = Fp(a), otherwise, 0. 

Three-Move Type Signature Scheme. Three-move type signature schemes 
are derived from three-move honest verifier zero-knowledge proofs. Fiat-Shamir 
signature scheme [8] and Schnorr signature scheme [18] belong to this type. The 
signing algorithm <S T , which takes a message m and a private key .§, produces 
a signature a = (s, c). It consists of three polynomial-time functions: A, FI 
and Z . Function A generates the first-move commitment as z = A(s, r) where r 
is some random number. P : {0,1}* — > A is a hash function which generates 
a non- interactive challenge as c = P(m, z). The size of A is assumed to be in the 
same magnitude as that of the space of the public key pair (s, P). Z generates an 
answer s = Z(s,r,c). The verification algorithm V T , which takes a message m, 
a signature a = (s, c) and a public key P, produces a boolean output. It involves 
a function V such that if the signature a is valid and correct, then 

c = P(m, V(P, s, c)). 

6.1 The Generic Scheme 

Let L = {Pi,---,P„} be a set of n public keys corresponding to n possible 
signers. For i = 1, • • • , n, let a + b denote the group operation of Abelian group 
Ai and a — b be the group operation with inverse of 6, for all a,b £ Ai. Domain 
A, depends on Fp. (trapdoor-one- way type) or Pi (three-move type) . 

Let p be twice of the largest | A/, 1 < i < n. Let G : {0, 1}* — ► {0, 1} P be 
some hash function. Without loss of generality, assume user i, for t+l < i < n, 
are non-participating signers and user j, for 1 < j < t, are participating signers. 
To generate a (t, n)-threshold ring signature on a message m, the participating 
signers with their secret keys {si, • • • , s*} carry out the following steps. 

Signing Algorithm. 

1. For i = t+l, ■ • • , n, pick c, £p {0, 1} P and s* £r Ai. Compute 

J V(Pi, Si, 0i(ci)) if user i has a Three-move Type key pair 
1 \ 9i(ci) + Fp i (si) if user i has a Trapdoor One-Way Type key pair 

where 9i : {0, 1}* — > Ai is some hash function which maps to some appro- 
priate range. 
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2. For j = 1, • ■ ■ , t, pick rj Gr Aj and compute 

{ A(sj , rj ) if user j has a Three-Move Type public key pair 
Tj if user j has a Trapdoor One-Way Type key pair 

3. Compute cq = G(L,t,m, z±, - • ■ , z n ) and construct a polynomial / over 
GF(2 P ) such that deg(/) = n — t, /( 0) = Co and /(*) = c,; for i = t+ 1, ■ • ■ , n. 

4. For j = 1, • ■ ■ , t, compute Cj = f(j) and 

f Z(§j, rj , Oj(cj)) if user j has a Three-Move Type key pair 
— { F7 l (jj — 9j(cj)) if user j has a Trapdoor One-Way Type key pair 

where 0j : {0,1}* — > Aj is some hash function which maps to some appro- 
priate range. 

5. Output the signature for m and L as a = (si, • • • , s n , /). 

Verification Algorithm. A verifier checks a signature a = (si, • • • , s n , f) with 
a message m and a set of public keys L = {Pi, ■ ■ ■ , P„} as follows. 

1. Check if deg (/) = n—t. If yes, proceed. Otherwise, reject. 

2. For i = 1, ■ ■ • n, compute Cj = /(*) and 

, f V ( Pi , Si, 6i(ci)) if user i has a Three-move Type key pair 

1 \ 9i(ci) + Tp^Si) if user i has a Trapdoor One-way Type key pair 

? 

3. Check whether /( 0) = G(L, ■ , z' n ). If not, reject. Otherwise, accept. 

7 Conclusion 

In this paper, we describe a ( t , n)-threshold ring signature scheme which is per- 
fectly separable. A signature produced by this scheme can include an arbitrary 
mixture of public keys which are for various flavors of traditional signature 
schemes. A concrete scheme of supporting the mixture of RSA-based and DL- 
based public keys with various security parameters is also given. The scheme 
is shown to be signer ambiguous and existentially unforgeable against chosen 
message attacks under the random oracle model. 
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A Proof of Lemma 1 

Proof. Suppose on inputs of any set of t — 1 private keys St- 1 , any set of n 
public keys L, in which the corresponding public keys of the private keys in 
St - 1 are included, and any binary string m G {0,1}*, there exists a PPT E 
that outputs a forged signature a = (si, • • • , s n , f ) such that deg(/) = n—t with 
non- negligible probability pe • We construct from E a PPT B that solves DLP 
with non-negligible probability. That is, given ( p,q,g,y ), B outputs an integer 
x such that g x = y (mod p) with non-negligible probability. 

To get the black-box E run properly, B needs to provide a set of t — 1 
private keys St- i, a set of n public keys L, in which the corresponding pub- 
lic keys of the private keys in St— i are included, and some binary string m 
as inputs. To do this, B randomly generates a set of n — 1 public key pairs 
TI = {(Xi,(j>i,qi, gi,yi))}i<i< n -i where Xi G Z 9i and yt = g Xi (mod pf). Next 
B randomly picks t — 1 private keys from U and denotes the set to be St- 1 - 
Then B sets L to be the collection of all the public keys in 77 and (p, q, g, y) 
and m to be an arbitrary binary string. Without loss of generality, let 7r index 
(p, 9, 9, V ) in L. 

Besides, B also simulates E's point of view by constructing the random oracle 
G and the signing oracle SO. We first describe the construction of the signing 
oracle SO. On inputs a set of public keys L where n = \L\, i\, ■ ■ ■ ,i t such that 
1 < ij < n for 1 < j < t and t < n, and some binary string m G {0, 1}*, the 
answer is simulated as follows. 

1. Randomly generate cq, Ct+ 1 , • • • , c n Gr {0, 1} P . 

2. Construct / over GF(2 P ) such that deg(/) = n — t and /( 0) = co, f(i) = Ci, 
for i = t + 1 , • • • , n. 

3. Compute a = /( 1), ■■■ ,c. t = f(t). 

4. Randomly generate Si Gr for i = 1, ■ • ■ , n. 

5. Compute zt = y') 1 mod pi for i = 1, • ■ • , n. 

6. Assign co as the value of G(L, t, m, z±, ■ ■ • , z n ). 

7. Output (si, - ■ ■ ,s n , f). 

The simulation fails if step 6 causes collision, that is, the value of co has 
been assigned before. This happens with probability at most qc/ 2 P where qc is 
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the number of times that the random oracle G is queried by E. Since E only 
queries G for polynomially number of times, the simulation is successful with 
overwhelming probability. 

Let 0. fl be the random tapes given to the signing oracle and E such that 
E outputs a forged signature. Notice that the success probability of E is taken 
over the space defined by 0, fl and the random oracle G. The forged signature 
contains a polynomial / where /( 0) = G(L, t, m, z\, ■ ■ ■ , z n ) for Zi = g Si y{ ^ 
(mod pi), 1 < i < n. With probability at least 1 — 2~ p , there exists a query 
G(L, t, m, Zi, ■ ■ ■ , z n ) due to the assumption of ideal randomness of G. Split G 
as ( G~,cq ) where G~ corresponds to the answers to all G-queries except for 
Co- By invoking E with ( 0,fl,G~ ) and randomly chosen Cg (y^ cq ) polynomial 
times p'{qG)/PE , E outputs at least one forged signature a' = (s[, ■ ■ ■ , s' n , f) 
with probability pe / p" (qo), due to the heavy-row lemma [13] where p' and p" 
are some polynomial functions. Since (0, fl, G~) is fixed, z\ to z n are unchanged 
for both runs. Therefore, B can compute the discrete-log x = (s w — s'„) / (c^ — 
c n ) mod q. 

To see that c' n y^ c „ (that is, /'(7r) y^ /M), we notice that since /'( 0) y^ /( 0) 
and the degrees of / and /' are limited to n — t, there is at least one value 
1 < j < n such that /'(;/) y^ f(j). The chance of having j = tt is 1/n if 
7 r is randomly chosen. Hence the probability of having B succeed is at least 
Pe / (np" {qc)) which is non-negligible. 

Notice that in the tape rewind simulation above, forking lemma [14] or ROS 
(Rewind-on-Success) lemma [11] can also be used to derive the success proba- 
bility of machine B. □ 



B Proof of Lemma 2 

Proof. Let A be a PPT adversary who can forge signatures with non-negligible 
probability at least 1/Q\{k) when given a security parameter k, n RSA en- 
cryption functions and strictly less than t of the matching decryption functions 
where Q\ is some polynomial. Assume A makes qa queries to G, qs queries to 
the signing oracle SO, and a total of qn queries to Hi, ■ ■ ■, H n combined. We 
construct from A a PPT M that solves t copies of RSA-Collision with respect 
to t different encryption functions with non-negligible probability. 

A successful forgery a = (si, • • • , s n , f) generated by A with Turing transcript 
T (including coin flip sequences) is called an Aforgery if the first appearance in 
T of the query G{L, t, m, z\, ■ ■ ■ , z n ) is the Ath G-query, 1 < £ < qG + qs- Note 
Ci = /(*), 0 <i<rv,Zi = Hi(a ) + s^, 1 < i < n. 

M simulates A’s point of view by making G, Hi, ■ • -, H n independent random 
oracles, and implements the signing oracle SO by our signing algorithm similar 
to the construction described in the proof of Lemma 1. Additional specifications 
of A4 will be presented after some technical definitions. 

For each f, 1 < t < qc + qs, M. makes a simulation run described below. 
Random oracles are started anew for each pass. 
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In the £-th pass, M simulates A to obtain a = (si, • • • , s n , /). Then it 
rewinds to the £-th G-query and resimulates A from there onward to obtain 

d’ = (si i ■ ■ ■ j s n , /). 

There exists £ such that the probability of A generating an Gforgery is at 
least l/(Qi(k)(qG + qs ))■ By the heavy-row lemma, the probability of returning 
two successful Gforgeries in the £-th pass is at least 1/(4 Q\{k){qc + qs ) 2 )- 

Consider the case where two successful Gforgeries, denoted a = (si, ■ • • , s n , f) 
and a = (si, • • • , s n , /), are returned in the £-th pass of the simulation. The 
collision-freeness of H implies that /( 0) ^ /( 0), and / ^ f . Since both polyno- 
mials have degree n — t, there exist at least t integers, 1 < i\ < • • • < it < n, 
such that f(ij) ^ f(ij ), 1 < j < t. In the rewind simulation, the inputs to the 
£-th G-query are identical to the first simulation. Therefore, Zi = Hi(ci) + s = 
Hi(cii ) + 1 < i < n. Therefore, M has obtained the T desired sets of RSA- 

Collisions Zi = Hi(ci)+s f = H^Cij+s^ and (a, s,) ^ (cj, Sj), for i £ {ii, • • • , i t }. 
The complexity of M. is qc + qs times that of A. and the probability of success 
of M is at least 1/(4 Q\{k){qc + qs) 2 )- □ 

Remark: We have proven that if A can solve RSA-Collision with non- 
negligible probability, then A can forge signatures. The technique will be dis- 
cussed in another paper. 
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Abstract. A group signature scheme allows a group member of a given 
group to sign messages on behalf of the group in an anonymous and 
unlinkable way. In case of a dispute, however, a designated group man- 
ager can reveal the signer of a valid group signature. Based on Song’s 
forward-secure group signature schemes, Zhang, Wu, and Wang proposed 
a new group signature scheme with forward security at ICICS 2003. Their 
scheme is very efficient on both communication and computation aspects. 
Unfortunately, their scheme is insecure. In this paper we present a se- 
curity analysis to show that their scheme is linkable, untraceable, and 
forgeable. 

Keywords: digital signature, group signature, forward security, crypt- 

analysis. 



1 Introduction 

In modern electronic society, digital signatures are playing an important role to 
provide integrity, authentication and undeniability for electronic transactions. 
Group signatures, first introduced by Chaum and van Heyst in [14] , are a special 
type of digital signatures. In such a scheme each group member of a given group 
is allowed to sign messages on behalf of the group in an anonymous and unlink- 
able way. To check the validity of a group signature, a receiver only needs to get 
the unique group public key. However, with the exception of a designated group 
manager , anybody else can neither identify the identity of the signer nor de- 
termine whether multiple signatures are generated by the same group member. 
Furthermore, in case of later disputes, the group manager can “open” a group 
signature and then reveal the true signer’s identity. 

From the viewpoints of verifiers, only a single group public key is needed to 
verify group signatures. On the other hand, from the viewpoint of the signing 
group, its internal structure is hidden from verifiers while the signers’ identities 
can be revealed, if necessary. In virtue of these advantages, group signatures 
have many potential applications, such as e-voting, e-bidding and e-cash etc [15, 
20, 23, 21, 13]. 



J.I. Lim and D.H. Lee (Eds.): ICISC 2003, LNCS 2971, pp. 27-39, 2004. 
(c) Springer- Verlag Berlin Heidelberg 2004 
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Following the first schemes constructed in [14], a number of new group signa- 
ture schemes and improvements have been proposed [15, 9, 22, 10, 2, 3, 19, 8, 24, 
12, 7]. In [15], Chen and Pedersen constructed the first scheme which allows new 
members to join the group dynamically, and suggested to use group signatures 
in e-bidding. Camenisch and Stadler proposed the first group signature scheme 
that can be used for large groups, since in their scheme the group public key and 
signatures have lengths independent of the group size [9]. Based on the strong 
RSA assumption [16], Camenisch and Michels presented an efficient group sig- 
nature scheme in [10, 11]. Later, Kim et al. extended their scheme to support 
efficient member revocation [19]. Ateniese and Tsudik pointed out some obsta- 
cles that stand in the way of real world applications of group signatures, such 
as coalition attacks and member deletion [2], In fact, there have been several 
papers which focused on the problem of member deletion [19, 8, 4]. Ateniese et 
al. presented a provably secure group signature scheme in [3]. 

Song addressed two important problems in group signature schemes, i.e. , how 
to deal with exposure of group signing keys and how to efficiently revoke group 
members [24]. Here, a group signing key is referred to all secrets that enable 
a signer to produce group signatures in [24]. In fact, a group signing key consists 
of the membership secret and the group membership certificate [9, 3]. Based on 
the idea of forward secure signatures [1, 6, 17], Song constructed the fist two 
forward- secure group signature schemes. In such a scheme, the expected system 
life-time is divided into T time periods, and each group member’s signing key 
evolves over time. In time period j+ 1, the signing key skj + \ is updated from the 
signing key skj for time period j by using a public one-way function, and then 
skj is erased from the system. When the signing key skj is compromised, an 
attacker cannot sign messages with respect to any previous period. Especially, 
he cannot derive any previous signing key which corresponds to a time period i, 
i < j. Furthermore, Song also extended her schemes to support group member 
revocation. In Song’s schemes, the group public key is affected neither by signing 
key update, nor by group member join or leave. 

In [28], Zhang, Wu, and Wang proposed a newly efficient forward-secure 
group signature scheme. Since signatures of knowledge (refer to [9, 3]) are not 
used, their scheme is really very efficient on both computation and communi- 
cation aspects. For example, the total computation cost of their signature gen- 
eration and verification is only 7 modular exponentiations, while 36 modular 
exponentiations are needed in Song’s schemes. At the same time, they claimed 
that their scheme satisfies all the desired security requirements (see Section 2). 
However, we find this is not the fact. 

In this paper, we present a security analysis of Zhang- Wu- Wang group signa- 
ture scheme with forward security [28]. More specifically, we demonstrate that 
their scheme is linkable, untraceable and forgeable. We first identify an effective 
way that allows anybody to determine whether two group signatures are signed 
by the same group member. Then, we demonstrate that any group member 
can forge valid signatures which cannot be opened by the group manager. This 
implies that their OPEN procedure fails to trace malicious group members. Fur- 
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thermore, we prove that Zhang- Wu- Wang scheme is untraceable in essence , i.e., 
their scheme cannot meet the traceability if one just modifies OPEN procedure. 
Finally, under reasonable assumptions, a universally forging attack is presented. 
In this attack, even an outsider (not a group member) can forge valid group 
signatures on any messages of his choice. Therefore, Zhang- Wu- Wang scheme is 
insecure , though it is very efficient. 

The rest of this paper is organized as follows. In Section 2, we introduce the 
informal definitions of a forward-secure group signature scheme and the security 
requirements. Section 3 reviews Zhang- Wu- Wang scheme [28]. Then, our security 
analysis is presented in Section 4. Finally, Section 5 concludes this paper. 

2 Definitions 

A forward-secure group signature scheme involves a group manager , a set of group 
members , and a set of verifiers. The group manager (for short, GM) is responsible 
for admitting/revoking group members, and for opening group signatures to 
reveal the true signers. When a potential user registers with GM, he/she becomes 
a group member and then can sign messages on behalf of the group. A verifier 
checks the validity of a group signature by using the unique group public key. The 
computational capability of each entity is modeled by a probabilistic polynomial- 
time Turing machine. We now review the definitions of forward-secure group 
signature schemes and their security requirements as follows. For more formal 
definitions on this subject, please refer to [7]. 

Definition 1. A forward-secure group signature scheme is comprised of the fol- 
lowing procedures [9, 2, 3, 24, 28]: 

— SETUP : On input of a security parameter i, this probabilistic algorithm out- 
puts the initial group public key and the secret key for the group manager. 

— JOIN: An interactive protocol between the group manager and a user that re- 
sults in the user becoming a new group member. The user’s output is a group 
signing key, i.e., a membership secret and the corresponding membership 
certificate. 

— EVOLVE: An algorithm that on input a group signing key for time period j, 
outputs the corresponding group signing key for time period j + 1 . 

— SIGN: A probabilistic algorithm that on input a group public key, a group 
signing key, and a message m outputs a group signature on m. 

— VERIFY : An algorithm for establishing the validity of an alleged group sig- 
nature of a message with respect to a group public key. 

— OPEN : An algorithm that, given a message, a valid group signature on it, 
a group public key and the corresponding group manger’s secret key, deter- 
mines the identity of the signer. 

— REVOKE: An algorithm that on input a group member’s certificate, a group 
public key and the corresponding group manger’s secret key, outputs a revo- 
cation token that revokes the group member’s signing ability. 
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Definition 2. A forward-secure group signature scheme is secure if it satisfies 
all the following security requirements [2, 3, 24, 28]: 

— Correctness: Signatures produced by a group member using SIGN procedure 
must be accepted by VERIFY procedure. 

— Unforgeability: Only group members are able to sign messages on behalf of 
the group. 

— Anonimity: Given a valid group signature for some message, identifying the 
actual signer is computationally hard for everyone but the group manager. 

— Unlinkability: Deciding whether two different valid signatures were gener- 
ated by the same group member is computationally hard for everyone but the 
group manager. 

— Excupability: Even if the group manager and some of the group members 
collude, they cannot sign on behalf of non-involved group members. 

— Traceability: The group manager can always open a valid group signature 
using OPEN procedure and then identify the actual signer. 

— Coalition-resistance: A colluding subset of group members cannot generate 
a valid group signature that cannot be traced by the group manager. 

— Revocability: The group manager can revoke a group member’s signing 
ability so that this group member cannot produce a valid group signature any 
more after being deleted. 

— Forward security: When a group signing key is exposed, previously gener- 
ated group signatures remain valid and do not need to be re-signed. 



3 Review of Zhang- Wu- Wang Scheme 

3.1 SETUP Procedure 

The group manager (GM, for short) randomly chooses two large primes p\, P 2 of 
the same size such that p\ = 2p' x + 1 and P 2 = 2p 2 + 1, where both p\ and p' 2 are 
also primes. Let n = P 1 P 2 , and G = ( g ) be a cyclic subgroup of Z* . Usually, G 
is selected as the set of quadratic residues modulo n [10, 3, 24], i.e., g’s order 
ord(g) = p\p' 2 . GM randomly chooses an integer x as his secret key, and then 
sets his public key as y = g x mod n. GM selects a random integer e (e.g., e = 3) 
which satisfies gcd(e, (f(n )) = 1, and computes d such that de = 1 mod </>(n). Let 
h(-) be a publicly known coalition-resistant hash function (e.g., SHA-1, MD5). 
The expected system life-time is divided into T intervals and the intervals are 
publicly known, (c, s) = SPK{"f : y = g~ 1 }{ ) denotes the signature of knowledge 
of log 9 y on the empty message (see [9, 3] for details). Finally, the group manager 
publishes the public key ( y,n,g,e,hf),IDcM,T ) , where IDqm is the identity 
of the group manager. 

3.2 JOIN Procedure 

If a user, say Bob, wants to join the group, he executes an interactive protocol 
with GM. Firstly, Bob chooses a random number k £ Z* as his secret key, and 
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computes his identity IDs = g k mod n. Then, Bob generates the signature of 
knowledge (c, s) = SPK{k : IDb = g k }{ ) to show that he knows a secret 
value k to meet IDb = g k mod n. Finally, Bob keeps k privately and sends 
(. IDs , (c, s)) to the group manager. 

Upon receiving ( IDb,{c,s )), GM first verifies the signature of knowledge 
(c, s). If the verification holds, GM chooses a random number a £ Z*, and 
computes a triple (rs , sb , Wb 0 ) from 

tb = g a mod n, SB = a + rsx, wb 0 = {i’bIDgmIDb) - ' 1 ' mod n. 

Then, GM sends Bob (sb, Gb, u>b 0 ) via a private channel, and stores (sbDb, 
wb 0 ) together with ( IDs , (c, s)) in his local database. Bob accepts (sb, t"b, wb 0 ) 
as his initial membership certificate if the following two equalities hold. 

g SB = TBy rB mod n, and vbIDqmIDb = WB 0 ~ e mod n. (1) 

3.3 EVOLVE Procedure 

Assume that Bob has the group membership certificate (sb, £b, res, ) at time 
period j. Then at time period j + 1, he updates his group membership certificate 
as (sB,r B ,WB j+ J by computing 



w B 






{ w Bj ) e mod n (= ( r B ID G MlD B ) 



mod n) . 



(2) 



3.4 SIGN Procedure 

Let (sB,rB,u>Bj) be Bob’s group membership certificate at time period j. To 
sign a message m, Bob randomly chooses two numbers q 1,(72 £ Z*, and com- 
putes Zi,u,r±,r 2 ,r 3 as follows: 

z\ = g qi y q2 mod n, 
u = h(zi,m), 

r 2 = w'b- mod n, (3) 

ri = qi + ( sb + k) ■ u ■ h(r 2 ) (in Z), 

^3 = qi - r B ■ u ■ h(r 2 ) (in Z). 

The resulting group signature on m is er = (u, 7T,r2,r3,m, j). 



3.5 VERIFY Procedure 



Given a = (u, r \ , r 2 , ^ 3 , m, j ) , a verifier accepts it as a valid group signature on m 
if and only if u = h(z[, m), where z[ is computed by 



J — td 

~i — 11J GM 



Hr2) ri h{r 2 )-e 



9 



y r3 mod n. 



,T-j 



(4) 
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3.6 OPEN Procedure 

Given a group signature cr = (u,ri,r 2 ,r 3 ,m,j), if necessary, GM can open it 
to reveal the actual identity of the signer who produced the signature. GM first 
checks cr’s validity via VERIFY procedure. If cr is a valid signature, GM operates 
as follows to find the signer’s identity: 

(1) Compute ?7 = l/(it • h{r 2 )) mod <p(n ). 

(2) Compute z[ = IDq^ 2 ' 1 g ri r 1 ^ r2 ' > ' e y r 3 mo d n. 

(3) Search his database to find a pair ( ID B ,r B ) that satisfies the following 
equality: 

r B ID B = (g ri y r3 /z[) v mod n. (5) 

(4) If there is a tuple ( r B ,ID B ) satisfying the above equation, GM concludes 
that ID b is the identity of the actual signer. Otherwise, output _L. 



3.7 REVOKE Procedure 

If GM wants to revoke Bob’s membership certificate at time period j, he pub- 
lishes a revocation token (Rj,j) in the CRL (the Certificate Revocation List), 
where the value Rj is computed by 



Rj = ( r B ID B ) d 3 mod n. (6) 

Given a valid group signature a = (u,ri,r 2 ,r 3 ,m,j), a verifier can identify 
whether a is produced by a revoked group member. For this sake, he performs 
as follows: 

(1) Compute z[ = e y rs mod n. 

(2) Search all (Ri, i ) ( i ^ j) in CRL to check whether there is a Ri [i ^ j) such 
that the following equality holds: 

g ri y r3 = z[(Rf~ i ) u Hr2) mod n. (7) 

(3) If one such Ri ( i ^ j) is found, the verifier concludes that the signature cr 
is revoked, i.e. , it is generated by a group member after he is deleted. 

4 Security Analysis of Zhang- Wu- Wang Scheme 

In [28], Zhang et al. analyzed the security of their scheme, and concluded that 
their scheme satisfies all the security requirements listed in Section 2. However, 
we find that this is not the fact. 
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4.1 Linkability 

Let a = (u, ri, r2, r"3, m, j) and a = (ft, f\, F2, F3, fh, j) be two (valid) group sig- 
natures. To decide whether they are signed by the same group member, a verifier 
only needs to check whether the following equality holds. 

r 2 = f 2 mod n. (8) 

In fact, if both a and a are signed by the same group member, say Bob, 
according to SIGN procedure, we know that r 2 = (wB j ) uu mod n = f 2 mod n. 
So the above equality holds for er and a. 

On the other hand, we can show that if er and er are signed by two differ- 
ent group members, say Bob and Charlie, respectively, equation (8) unlikely 
holds. To prove this claim, on the contrary, we assume that er and er satisfy 
equation (8). Let Tb = g a mod n, rc = g a mod n, IDb = g k mod p , and 
IDc = g k mod p. Since er is signed by Bob, and ef is signed by Charlie, we 
have r 2 = (w_b 3 )“' u mod n , and f 2 = ( wc j ) u ' u mod n. From r 2 = f 2 mod n, we 

have {tbI DqmI D B)~ uudT 3 = ( rcIDGMlDc)~ uud,T 3 mod n. So, the follow- 
ing equation holds 

g (k-k+a-&)uud T -l = 1 mod n ( 9 ) 

Since ord(<?) = p\p' 2 , gcd (d, <f>{n )) = 1, and <fi(n) = ^p^p^, we know gcd(d, ord(g)) 
=1. At the same time, usually |/i(-)| = 160, and |pi| = \p' 2 \ ^ 255, thus we 
also have gcd(uu, ord(5)) = 1. Therefore, from equation (9), we conclude that 
ord(g)|(fc — k + a — a), i.e. , (k—k + a — a) = 0 or (fc — k + a — a) = b- ord(g) for 
some non-zero integer b. However, both cases unlikely happen, because ord (g) is 
the product of two large primes, a and a are random numbers selected by GM, 
and k and k are random numbers selected by Bob and Charlie, respectively. 

Furthermore, equation (8) can be generalized to link two signatures which 
are generated by the same group member at different time periods. That is, 
given two group signatures a = (u,ri,r 2 ,r 3 ,m,j) and a = (u, rq, 7^, ^3, fh, *) 
where j > i, one can know whether the same group member generated them by 
checking 

rl = mod n. (10) 



4.2 Untraceability 

In this section, we demonstrate an attack that enables a group member Bob to 
forge a valid certificate. Then, using this forged certificate, he can generate valid 
group signature on any message of his choice without being traced. Firstly, we 
note that it seems difficult to forge a new pair (fs, Ss) so that the first equation 
in (1) is satisfied, since Bob does not know GM’s secret key x. However, Bob 
can change the values of wb 0 and IDs , and get a new certificate. For this sake, 
he chooses a random number a £ Z n , and defines wb 0 , IDb and k as follows: 

Wb 0 = WB 0 g a mod n, IDs = IDs • g~ ae mod n, k = k — ae T (in Z). (11) 
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In the following, we show that the tuple (s B , tb, w B o ) with respect to ( ID B ,k ) 
constitutes a valid group membership certificate. Firstly, it is easy to know 
that IDg = ID B g~ ae mod n = g k ~ a ' e mod n = g k mod n. Secondly, we 
have g SB = r B y TB mod n. Finally, the following equalities hold 

r B ID GM IDB = ( vbIDgmIDb ) ■ g~ aeT mod n 

_ T _ T 

= wb 0 e ■ g ae mod n 

T 

= ( wb 0 ■ g a )~ e mod n 

T 

= w Bq mod n. 

Therefore, according to JOIN procedure, Bob obtains another new certificate 
(s B ,r B ,WB 0 ) with (ID B ,k). Using this tuple ( SB,r B ,WB 0 ,ID B ,k ), Bob can 
generate valid group signatures on arbitrary messages. According to OPEN pro- 
cedure, when such forged signatures are presented, Bob will not be traced as 
the signer since r B ID B ^ r B ID B mod n. Therefore, the OPEN procedure pro- 
vided by [28] fails to trace such malicious group members. A natural question is 
whether we can improve this OPEN procedure such that it can reveal the identi- 
ties of malicious group members. Unfortunately, the answer is negative. In other 
words, Zhang- Wu- Wang scheme is untraceable in essence, i.e., two malicious 
members may forge the same valid but untraceable group signature on a given 
message. More formally, we have the following theorem. 

Theorem 1. Using the above attack, the forged group signatures generated by 
two malicious members for the same message are perfectly indistinguishable. 

Proof: We only need to prove that if Bob forges a group signature a on a mes- 
sage m, Charlie can also generate it by using our above attack. For simplicity, let 
sk B ,j = (s B , r B ,yJ Bj , ID B ,k), and fsk B ,j = (s B , rB,w Bj ,ID B ,k), where w Bj = 
Wg ,_ i mod n = Wg g mod n, and w Bj = ti}^ mod n = u>g o mod n. sk B ,j and 
fsk B ,j denote Bob’s signing key and forged signing key at time period j, respec- 
tively. Here, w Bo ,IDb and k are computed by Bob as in the above attack, i.e., 
Bob selects a random number a and calculates the values of them from equa- 
tion (11). To forge a group signature on message m, he randomly chooses two 
numbers q\,q 2 &r Z*, and computes zi = g qi y q2 mod n, u = h(zi,m), r 2 = 
w mod n, rq = qi + ( s B + k)uh(r 2 ) (in Z), and r^ = qq — r B uh{r 2 ) (in Z). 
<7 = (u, r\, r2, r 3 , m, j) is the resulting forged group signature on message m. 

Now, we show that Charlie can forge a group signature cr' on the same mes- 
sage m such that o' = o, if he chooses an appropriate number a' to define his 
forged signing key, and two specific numbers q[ and q' 2 to produce group signa- 
ture. Let sk G ,j = ( sc, re , w Gj , IDc , k') be Charlie’s signing key at time period j, 
where s G = of + r G x, rc = g a mod n, IDc = g k mod n, w Gj = Wc a mod n, 
and wc 0 = ( rcIDcMlDc)~ d mod n. To forge a new membership certificate, 
Charlie first sets a' = a — (k + a — k! — a') ■ e~ T mod ord(g). This means that 
there exists an integer l such that k! + a' — a'e T = k + a — ae T + l ■ ord(g). And 
then, according to equation (11), he defines u>c 0 ,IDc and k' as follows: 

wc 0 = w Co g a mod n, IDc = IDcg~ a e mod n, k! = k! — a! e T (in Z). (12) 



